Article reading share @若渴
2016.1.24
<ajblane0612@gmail.com>
AJMachine
https://cve4fun.hackpad.com/
How I keep up with news
• When I read an article, I first look for
• whether there is an FB fan page
• whether there is a YouTube channel to subscribe to
• Twitter
• FB is actually quite handy
• fan page -> Like -> See First
• Every day when I open FB, everything I see is security news
• Share to my own timeline as a reminder of what to read
Is SMI software or hardware? XD Either one
• SMM code is completely inaccessible from the OS, and the OS cannot even notice when exactly an SMI is being executed. There are several ways to generate an SMI:
• Ring 0 code can trigger a software SMI at any time by writing some byte value to APMC I/O port B2h.
• Internal chipset registers (SMI_EN, GEN_PMCON_1 and others) that are accessible via PCI config space allow enabling or disabling different kinds of hardware SMI sources.
• You can route hardware interrupts into SMM by reconfiguring the advanced programmable interrupt controller (APIC) that is integrated into the CPU.
• The I/O instruction restart CPU feature (chapter 34.12 of the IA-32 Architectures Software Developer's Manual) allows generating an SMI on any I/O port access by an IN or OUT processor instruction.
Excerpted from: Building reliable SMM backdoor for UEFI based platforms
Outline
• The memory sinkhole
• Undefined behavior: what happened to my code
• The impact of GPU-assisted malware on memory forensics: a case study
• SLOTH
• ATM
HTTPS bicycle attack
The Memory Sinkhole
• On Intel: Ring 3 is userland, Ring 0 the kernel, Ring -1 the hypervisor, Ring -2 SMM, which holds the firmware and all the most critical security checks
• SMM hides from Ring 0
• System Management RAM (SMRAM) is only accessible to SMM
• SMM handler
• A System Management Interrupt (SMI) toggles SMM
• SMM handler
• Fetches the DSC structure (Global Descriptor Table, segment selectors, ...) and initialises from it
• Attack technique
• Use APIC remapping so the APIC payload (all zeros) overlays the DSC structure (in SMRAM)
• After the SMM handler finishes, execution jumps to 0x10:0x8077 and continues from there.
SMM Security
Excerpted from: The Memory Sinkhole: An architectural privilege escalation vulnerability
The APIC Remap Attack
Excerpted from: The Memory Sinkhole: An architectural privilege escalation vulnerability
Excerpted from: The Memory Sinkhole: An architectural privilege escalation vulnerability
Undefined Behavior: What Happened to my Code
• Undefined behavior
• Null Pointer Dereference
• Oversized Shift
• Signed Integer Overflow
• Out-of-Bounds Pointer
• Type-Punned Pointer Dereference
• Uninitialized Read
• The code's behaviour is not defined in the C specification, and each compiler handles behaviour C leaves undefined differently; it may even remove the code, so the result differs from what was expected. The one producing the vulnerability: the compiler. = =||
Out-of-Bounds Pointer
• Pointer addition and subtraction that leave the object are undefined behaviour, so we have to look at what the compiler does; see the code on the slide
• end < buf is turned by Clang into
• buf + size < buf
• size < 0
• It then deletes the whole if (end < buf) { ... } branch, which was originally there to avoid signed integer overflow (!!)
Type-Punned Pointer Dereference
• C strictly restricts aliasing (two pointers accessing the same memory), but people often alias anyway, which is undefined behaviour, and this behaviour leaves the compiler unable to optimise
• Use a C union to tell the compiler that the two are the same, as in the code on the slide
Excerpted from http://stackoverflow.com/questions/98650/what-is-the-strict-aliasing-rule
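The bounds check from the Out-of-Bounds Pointer slide and the union from the Type-Punned Pointer Dereference slide, as an added C example that is not the slides' or the cited paper's code: the first function keeps the pattern the compiler may discard, the second compares lengths instead, and `float_bits` assumes IEEE-754 single precision; all function names are ours.

```c
/* Added example (ours, not from the slides or the papers they cite). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The pattern from the Out-of-Bounds Pointer slide. Forming buf + len
 * past the object is undefined, so Clang may rewrite "buf + len < buf"
 * as "len < 0", never true for unsigned len, and drop the branch. */
int in_bounds_ub(const char *buf, const char *buf_end, size_t len)
{
    if (buf + len >= buf_end) return 0;  /* too long */
    if (buf + len < buf) return 0;       /* wrap-around guard: may vanish */
    return 1;
}

/* Hardened form: compare lengths, never form an out-of-range pointer.
 * buf_end - buf is defined because both point into the same object. */
int in_bounds_safe(const char *buf, const char *buf_end, size_t len)
{
    if (buf_end < buf) return 0;               /* malformed range */
    return len < (size_t)(buf_end - buf);      /* keeps one byte for NUL */
}

/* Copy len bytes of src into dst[0..cap) and NUL-terminate, guarded by
 * the safe check. Returns bytes copied, or 0 when rejected. */
size_t bounded_copy(char *dst, size_t cap, const char *src, size_t len)
{
    if (!in_bounds_safe(dst, dst + cap, len)) return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Type-Punned Pointer Dereference slide: reading a float's bits through
 * a uint32_t* breaks strict aliasing; a union tells the compiler both
 * views share storage. Assumes IEEE-754 single precision. */
uint32_t float_bits(float f)
{
    union { float f; uint32_t u; } pun;
    pun.f = f;
    return pun.u;
}

/* Self-check on a constructed 16-byte buffer; returns 1 when every case
 * behaves as intended (SIZE_MAX stands in for a wrapped length). */
int bounds_demo(void)
{
    char dst[16];
    const char *msg = "constructed sample input";  /* 24 bytes */
    if (bounded_copy(dst, sizeof dst, msg, 11) != 11) return 0;
    if (strcmp(dst, "constructed") != 0) return 0;
    if (bounded_copy(dst, sizeof dst, msg, 16) != 0) return 0;
    if (bounded_copy(dst, sizeof dst, msg, SIZE_MAX) != 0) return 0;
    return 1;
}
```

Compile the first function with `clang -O2 -S` and compare against `-O0` to see the wrap-around branch disappear; the length-based check survives both.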
PCI/GSM Address Space Layout on Intel Haswell
• PCI bus for GPU or DMA
• CPU view
• Part of MMIO is reserved for the PCI bus
• DRAM view
• The MMIO memory range is not visible, so the PCI bus is not visible either
• Intel's solution
• In the CPU view the range from TOLUD up to 4GB is assigned to MMIO, so the DRAM view can see the same address space.
• Graphics Stolen Memory (GSM)
• Mostly not accessible from the CPU view; the GTT part is accessible.
• Composition
• Graphics Translation Tables (GTT): tell the GPU the virtual-to-physical mapping; can be set up at the BIOS stage
• Data Range (programming space)
The Impact of GPU-assisted Malware on Memory Forensics: a Case Study
• A buffer object is created in the Graphics Execution Manager (GEM) subsystem (not inside GSM); it is visible to both the CPU and GPU domains, each through a different virtual address
• OS page table
• graphics page table
• Attack method
• The GPU modifies the graphics page table in GSM; the entry originally mapped the buffer object, but after the change it can reach data in memory used by the CPU.
I just wanted to understand why hash collisions matter to TLS
SLOTH (CVE-2015-7575)
From: Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH
Client authentication passes, which means the MitM attacker can impersonate client C
Tyupkin ATM
malware in the ATM
Do you know how it's done in Taiwan?


Editor's Notes

1. How do I use the APIC? *MMIO *Read the APIC at 0xfee00000~0xfee01000 to access its state and configure its behaviour, e.g. reading the processor ID. The APIC can be relocated: I can move the MMIO location. MCH = memory controller hub. APIC registers are mapped to processor memory at 0xfee00000 – 0xfee01000. The APIC register map is relocatable.